CVE-2025-12336 identifies an SQL injection vulnerability in Campcodes Retro Basketball Shoes Online Store version 1.0, located in the /admin/admin_index.php file. The vulnerability arises from improper sanitization of the Username parameter, which is directly used in SQL queries without adequate validation or parameterization. This flaw allows remote attackers to inject malicious SQL code, potentially enabling unauthorized access to the backend database, data exfiltration, modification, or deletion of records. The vulnerability requires no authentication or user interaction, making it exploitable remotely with low attack complexity. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L) indicates network attack vector, no privileges or user interaction needed, and low impact on confidentiality, integrity, and availability individually, but combined they represent a significant risk. No patches are currently linked, and while no active exploitation is reported, a public exploit is available, increasing the urgency for remediation. The vulnerability affects only version 1.0 of the product, suggesting that upgrading or patching is critical. The lack of CWE identifiers limits detailed classification, but the nature of the flaw is consistent with classic SQL injection issues. This vulnerability could be leveraged to compromise customer data, payment information, or administrative controls, impacting business operations and customer trust.

For European organizations using the Campcodes Retro Basketball Shoes Online Store platform, this vulnerability poses a significant risk to the confidentiality, integrity, and availability of sensitive data, including customer personal information and payment details. Exploitation could lead to unauthorized data disclosure, data tampering, or deletion, potentially resulting in financial losses, regulatory penalties under GDPR, and reputational damage. The remote, unauthenticated nature of the exploit increases the attack surface, making it easier for threat actors to target vulnerable installations. Disruption of the online store’s administrative functions could also impair business continuity. Given the e-commerce context, the vulnerability could facilitate fraud or identity theft if exploited. The medium severity rating suggests moderate but non-trivial impact, emphasizing the need for timely mitigation to prevent escalation or chaining with other vulnerabilities.

1. Immediately review and update the SQL query handling in /admin/admin_index.php to use parameterized queries or prepared statements, eliminating direct concatenation of user input. 2. Implement strict input validation and sanitization on the Username parameter to reject malicious payloads. 3. Conduct a comprehensive security audit of the entire application to identify and remediate similar injection points. 4. If available, apply official patches or updates from Campcodes; if not, consider upgrading to a newer, secure version. 5. Employ Web Application Firewalls (WAF) with rules tailored to detect and block SQL injection attempts targeting this endpoint. 6. Monitor logs for unusual query patterns or repeated failed login attempts indicative of exploitation attempts. 7. Restrict access to the /admin/ directory using IP whitelisting or VPN access controls to reduce exposure. 8. Educate development teams on secure coding practices to prevent recurrence of injection flaws. 9. Backup critical data regularly to enable recovery in case of data corruption or deletion. 10. Coordinate with incident response teams to prepare for potential exploitation scenarios.